An Enhanced ID-based Deniable Authentication Protocol on Pairings

Transcription

1 An Enhanced ID-based Deniable Authentication Protocol on Pairings Meng-Hui Lim*, Sanggon Lee**, Youngho Park***, Hoonjae Lee** *Department of Ubiquitous IT, Graduate school of Design & IT, Dongseo University, Busan , Korea **Department of Information & Communication, Dongseo University, Busan , Korea {nok60, ***School of Electronics and Electrical Engineering, Sangju National University, Sangju-Si, Gyeongsangbuk-do , Korea Abstract. Deniability is defined as a privacy property which enables protocol principals to deny their involvement after they had taken part in a particular protocol run. Lately, Chou et al. had proposed their ID-based deniable authentication protocol after proving the vulnerability to Key-Compromise Impersonation (KCI) attack in Cao et al. s protocol. In addition, they claimed that their protocol is not only secure, but also able to achieve both authenticity and deniability properties. However, in this paper, we demonstrate that Chou et al. protocol is not flawless as it remains insecure due to its susceptibility to the KCI attack. Based on this, we propose an enhanced scheme which will in fact preserves the authenticity, the deniability and the resistance against the KCI attack. 1 Introduction Nowadays, authentication had emerged to be an essential communication process in key establishment. In fact, the aim of this process is to assure the receiver by verifying the digital identity of the sender, especially when communicating via an insecure electronic channel. Authentication can be realized by the use of digital signature in which the signature (signer s private key) is tied to the signer as well as the message being signed. This digital signature can later be verified easily by using the signer s public key. Hence, the signer will not be able to deny his participation in this communication. Generally, this notion is known as non-repudiation. However, under certain circumstances such as electronic voting system, online shopping and negotiation over the internet, the non-repudiation property is undesirable. It is important to note that in these applications, the sender s identity should be revealed only to the intended receiver. Therefore, a significant requirement for the protocol is to enable a receiver to identify the source of a given message, and at the same time, unable to convince to a third party on the identity of the sender even if the receiver reveal his own secret key to the third party. This protocol is known as deniable authentication protocol.

2 In the past several years, numerous deniable authentication protocols have been proposed but many of them have also been proven to be vulnerable to various cryptanalytic attacks [6, 7, 15, 16]. The concept of deniable authentication protocol was initially introduced by Dwork et al. [9], which is based on the concurrent zero knowledge proof. However, this scheme requires a timing constraint. Not only that, the proof of knowledge is also time-consuming [8]. Another notable scheme which was developed by Aumann and Rabin [1, 2] is based on the intractability of the factoring problem, in which a set of public data is needed to authenticate one bit of a given message. Few years later, Deng et al. [8] have proposed two deniable authentication schemes based on Aumaan and Rabin s scheme. The proposed schemes are based on the intractability of the factoring problem and the logarithm problem. However, in 2006, Zhu et al. [16] have successfully demonstrated the Manin-the-Middle attack against Aumann and Rabin s scheme and this indirectly results in an insecure implementation of Deng et al. s schemes. In 2003, Boyd and Mao [4] have proposed another 2 deniable authenticated key establishment for Internet protocols based on elliptic curve cryptography. These schemes are believed to be able to solute the complexity of computation and appear to be more efficient than others but their vulnerability to KCI attack has been exploited by Chou et al. [6] in Besides that, Fan et al. [10] have proposed a simple deniable authentication protocol based on Diffie-Hellman key distribution protocol in Unfortunately, in 2005, Yoon et al. [15] have pointed out that their protocol suffers from the intruder masquerading attack and subsequently proposed their enhanced deniable authentication protocol based on Fan et al. s scheme. In addition, in 2005, Cao et al. [5] have proposed an efficient ID-based deniable authentication protocol which enables a dynamic shared secret to be derived as a session key. Unfortunately, in 2006, Yoon et al. s enhanced scheme and Cao et al. s scheme are proven to be impractical and susceptible to KCI attack respectively by Chou et al. [7]. Moreover, Chou et al. have proposed another new deniable authentication protocol [7] and they have claimed that their proposed protocol has achieved strong deniability as well as authenticity with great resistance against KCI attack. However, we discover that the analysis of resistance against the KCI attack in their proposed scheme is inadequate. Hence, in this paper, we will prove that Chou et al. s ID-based deniable authentication protocol on pairings remains insecure due to its vulnerability to the KCI attack. Besides that, we will also propose our improvements on this scheme in resisting the attack. The structure of this paper is organized as follows. In the next section, we will illustrate some basic properties of bilinear pairings and review Chou et al. s ID-based deniable authentication protocol. In Section 3, we will present our attack on Chou et al. s deniable authentication protocol. In Section 4, we will illustrate our improvements on Chou et al. s deniable authentication protocol and its associated security proofs. Last but not least, we will conclude this paper in Section 5.

3 2 Review of Chou et al. s Scheme In this section, we will introduce the basic properties of bilinear pairings, the Bilinear Diffie-Hellman Problem and the Discrete Logarithm Problem. Then, we will provide a brief review on Chou et al. s ID-based deniable authentication protocol. 2.1 Preliminary Let G 1 be a cyclic additive group of a large prime order, q and G 2 be a cyclic multiplicative group of the same order, q. Let e: G 1 x G 1 G 2 be a bilinear pairing with the following properties: a) Bilinearity: e(ap, bq) = e(p, Q) ab = e(abp, Q) (1) for any P, Q G 1, a, b Z q *. b) Non-degeneracy: There exists P, Q G 1 such that e(p,q) 1. c) Computability: There is an efficient algorithm to compute e(p,q) for any P, Q G 1. A bilinear map which satisfies all three properties above is considered as admissible bilinear. It is noted that the Weil and Tate pairings associated with the supersingular elliptic curves or abelian varieties, can be modified to create such bilinear maps. Now, we describe some mathematical problems: Bilinear Diffie-Hellman Problem (BDHP): Let G 1, G 2, P and e be as above with order q being prime. Given (P, ap, bp, cp) with a, b, c Z q *, compute e(p, P) abc G 2. An algorithm α is deemed to have an advantage ε in solving the BDHP in (G 1, G 2, e) based on the random choices of a, b, c in Z q * and the internal random operation of α if Pr[α((P, ap, bp, cp)) = e(p, P) abc ] ε. (2) Discrete Logarithm Problem (DLP): Suppose that we are given two groups of elements P and Q, such that Q = np. (3) Find the integer n whenever such an integer exists. Throughout this paper, we assume that BDHP is a hard computational problem such that there is no polynomial time algorithm to solve BDHP and DLP with nonnegligible probability. 2.2 Chou et al. s ID-based Deniable Authentication Protocol Suppose that two communication parties, Alice and Bob wish to communicate with each other. The Private Key Generator (PKG) picks a master key s Z q * and sets P pub = sp. (4)

4 For a given string ID {0, 1}*, the PKG computes the public key, and the private key, Q ID = H(ID) (5) S ID = sq ID, (6) where s is the master key. Hence, Alice and Bob s public/private key pairs are denoted as Q A /S A and Q B /S B respectively. Assume that all the hash functions employed in this protocol are collision-free. We describe Chou et al. s protocol as follows: Step 1. Alice chooses a random number, r A Z q *, computes u = r A Q A (7) and then sends (ID A, u) to Bob. Step 2. After receiving (ID A, u), Bob chooses a random number, r B Z q * and calculates and sends (ID B, f) to Alice. Step 3. After receiving (ID B, f), Alice computes h B = H(e(u, S B )), (8) f = h B r B, (9) h A = H(e(r A S A, Q B )), (10) r B = h A f, (11) X A = H(x A ), where x A = e(r B Q B, P pub ), (12) and subsequently computes the session key, Y A = H(y A ), where y A = e(r B S A, P), (13) K A = e(s A, Q B ) X A YA. (14) Suppose that m A is the message which Alice s would like to send together with her ID. She computes and sends (g A, m A ) to Bob. Step 4. After receiving (g A, m A ), Bob calculates Then, he computes the session key g A = H(ID B, m A, x A, y A, K A ) (15) X B = H(x B ), where x B = e(r B S B, P), (16) Y B = H(y B ), where y B = e(r B Q A, P pub ). (17) K B = e(q A, S B ) X B Y B. (18)

5 Finally, Bob computes g B = H(ID B, m A, x B, y B, K B ) (19) and compares whether g A = g B. If it does (does not), Bob accepts (rejects) the session key. Alice Bob Choose: r A Z q * Compute: u = r A Q A ID A, u Choose: r B Z q * Compute: h B = H(e(u, S B )) ID B, f Compute: f = h B r B Compute: h A = H(e(r A S A, Q B )) Compute: r B = h A f Compute: X A = H(x A ), Y A = H(y A ) where x A = e(r B Q B, P pub ), y A = e(r B S A, P) Compute: K A = e(s A, Q B ) X A Y A Compute: g A = H(ID B, m A, x A, y A, K A ) g A, m A Compute: X B = H(x B ), Y B = H(y B ) where x B = e(r B S B, P), y B = e(r B Q A, P pub ) Compute: K B = e(q A, S B ) X B Y B Compute: g B = H(ID B, m A, x B, y B, K B ) Check whether g A = g B Fig. 1. Chou et al. s ID-Based Deniable Authentication Protocol 3 Our Attack In this section, we will depict how Chou et al. s scheme can be intruded by using KCI Attack. In fact, this attack is deemed successful only if the adversary manages to

6 masquerade as another protocol principal to communicate with the victim after the victim s private key has been compromised. Alice (Eve) Bob Choose: r A Z q * Compute: u = r A Q A ID A, u Choose: r B Z q * Compute: h B = H(e(u, S B )) ID B, f Compute: f = h B r B Compute: h A = H(e(u, S B )) Compute: r B = h A f Compute: X A = H(x A ), Y A = H(y A ) where x A = e(r B Q B, P pub ), y A = e(r B Q A, P pub ) Compute: K A = e(q A, S B ) X A Y A Compute: g A = H(ID B, m A, x A, y A, K A ) g A, m A Compute: X B = H(x B ), Y B = H(y B ) where x B = e(r B S B, P), y B = e(r B Q A, P pub ) Compute: K B = e(q A, S B ) X B Y B Compute: g B = H(ID B, m A, x B, y B, K B ) Check whether g A = g B Fig. 2. KCI attack on Chou et al. s Scheme Assume that an adversary, Eve has the knowledge of Bob s private key S B and he intends to launch the KCI attack against Bob by pretending Alice to communicate with him. Hence, Eve is able to carry out his attack as follows: Step 1. Eve chooses a random number, r A Z q * and computes u from Eq. (7) by using r A. Then, he initiates the communication by sending (ID A, u ) to Bob. Step 2. After receiving (ID A, u ), Bob thought that Alice is trying to communicate with him. Then, he chooses a random number, r B Z q * and by using u, he calculates h B from Eq. (8) as well as f from Eq. (9). After that, he sends (ID B, f ) to Alice.

7 Step 3. After intercepting (ID B, f ), Eve attempts to compute h A, r B, X A, Y A, K A and g A. As Alice s secret key S A is unknown, Eve is unable to compute pairings which involve S A. However, it is crucial to note that: h A = e(r A S A, Q B ) = e(s(r A Q A ), Q B ) = e(r A Q A, sq B ) = e(u, S B ), (20) y A = e(r B S A, P)= e(s(r B Q A ), P) = e(r B Q A, sp) = e(r B Q A, P pub ), (21) K A = e(s A, Q B ) X A Y A = e(sq A, Q B ) X A Y A = e(q A, sq B ) X A Y A = e(q A, S B ) X A Y A. (22) Since u is originated from Eve and S B is known, he is then able to compute h A, r B, X A, Y A, K A and g A by using Eqs. (20), (11), (12), (21), (22) and (15) accordingly. Suppose that m A is the corrupted message which Eve would like to send to Bob by using Alice s ID. After g A is computed, he send (g A, m A ) over to Bob. Step 4. After receiving (g A, m A ), Bob calculates X B, Y B, the session key K B and g B by using Eqs. (16), (17), (18) and (19) respectively. Since g A and g B are always equal, Bob will eventually accept the session key and truly believes that he is communicating with Alice although he is in fact communicating with Eve. Hence, our KCI attack is successful. 4 Our Enhancement Scheme As we have noticed in the previous section, Chou et al. s scheme has fallen into the KCI attack mainly due to their failure in concealing the value of h B when S B is exposed. Once the adversary has obtained r B from h B, he is able to derive all the subsequent parameters as well as the valid session key. In other words, the values of h A and h B should be obscured even if S A or S B has been compromised so as to resist the KCI attack. 4.1 Protocol Improvement Description Now, we propose an enhanced ID-based deniable authentication protocol by introducing an extra parameter and a pair of equivalent modified hashed pairings v = r B Q B (23) h A = H(e(r A S A, r B Q B )) = H(e(r A S A, v)), (24) h B = H(e(r A Q A, r B S B )) = H(e(u, r B S B )) (25) in order to protect the values of h A and h B against the KCI attack. As similar to the previous scheme, our enhanced ID-based deniable authentication protocol can be described as follows: Step 1. Alice chooses a random number, r A Z q *, computes u from Eq. (7) and then, sends (ID A, u) to Bob.

8 Alice Bob Choose: r A Z q * Compute: u = r A Q A ID A, u Choose: r B Z q * Compute: v = r B Q B Compute: h B = H(e(u, r B S B )) ID B, f, v Compute: f = h B r B Compute: h A = H(e(r A S A, v)) Compute: r B = h A f Compute: X A = H(x A ), Y A = H(y A ) where x A = e(r B Q B, P pub ), y A = e(r B S A, P) Compute: K A = e(s A, Q B ) X A Y A Compute: g A = H(ID B, m A, x A, y A, K A ) g A, m A Compute: X B = H(x B ), Y B = H(y B ) where x B = e(r B S B, P), y B = e(r B Q A, P pub ) Compute: K B = e(q A, S B ) X B Y B Compute: g B = H(ID B, m A, x B, y B, K B ) Check whether g A = g B Fig. 3. Enhanced ID-Based Deniable Authentication Protocol Step 2. After receiving (ID A, u), Bob chooses a random number, r B Z q * and calculates v from Eq. (23) and h B from Eq. (25). Then Bob computes f from Eq. (9) and sends (ID B, f, v) to Alice. Step 3. After receiving (ID B, f, v), Alice computes h A from Eq. (24) and r B from Eq. (11). Then, she calculates X A, Y A, and the session key K A from Eqs. (12), (13) and (14) respectively. After that, she computes g A from Eq. (15) and sends (g A, m A ) to Bob eventually. Step 4. After receiving (g A, m A ), Bob calculates X B, Y B and the session key K B from Eqs. (16), (17) and (18) respectively. At last, he computes g B from Eq. (19) and checks whether g A = g B. If it does (does not), Bob accepts (rejects) the sesson key.

9 4.2 Protocol Security Analysis In this section, we will scrutinize our enhanced ID-based deniable authentication protocol in order to ensure that the security requirements for a deniable authentication protocol are satisfied. Lemma 1. Our enhanced protocol is deniable. Proof: Once (g A, m A ) is received in Step 4, Bob can easily identify the source of the message, m A since the message is integrated with Alice s ID. After verifying g A = g B, Bob can be assured that the message is originated from Alice. If Bob intends to expose the message sender s identity to a third party, Alice would be able to repudiate as she would argue that Bob could also generate (g A, m A ) by using his private key. Hence, the deniability property is satisfied. Lemma 2. Our enhanced protocol principal is able to authenticate the received message. Proof: Once (g A, m A ) is received, Bob is able to authenticate the message by comparing whether g A = g B. It is noted that the computation of g A is constituted from x A = e(r B Q B, P pub ), y A = e(r B S A, P), K A = e(s A, Q B ) X AY A and the computation of gb is constituted from x B = e(r B S B, P), y B = e(r B Q A, P pub ), K B = e(q A, S B ) X BY B. Since each g A and g B is a computational result of Alice and Bob s public/private key pairs, Bob can be assured that the message is originated from Alice. Hence, the authenticity property is satisfied. Lemma 3. The enhanced protocol is able to resist the KCI attack. Proof: The resistance of the enhanced protocol towards KCI attack is analyzed by considering the 2 scenarios below: a) Alice s private key, S A has been compromised. Initially, Alice chooses a random number r A, computes u from Eq. (7) and then sends (ID A, u) to Bob. Eve intercepts (ID A, u) and attempts to derive h A or h B so as to compute the session key. Eve chooses a random number, r B and calculates v from Eq. (23) by using r B. However, Eve is unable to compute h B from Eq. (25) as he does not know S B. Alternatively, Eve is also not capable of calculating h A from Eq. (24) because he has no knowledge about r A. Hence, the KCI attack fails. b) Bob s private key, S B has been compromised. Eve intends to masquerade as Alice to communicate with Bob. Eve initially chooses a random number r A, computes u from Eq. (7) by using r A and then, sends (ID A, u ) to Bob. Bob chooses a random number r B, and calculates v from Eq. (23) and h B from Eq. (25). Then Bob computes f from Eq. (9) and sends (ID B, f, v) back to Alice. Eve intercepts (ID B, f, v) and attempts to derive h A or h B. However, Eve is unable to compute h A from Eq. (24) as he does not know S A. Alternatively, Eve is also incapable of calculating h B from Eq. (25) because he has no knowledge about r B. Hence, the KCI attack fails. 5 Conclusion In this paper, we have pointed out the weakness of Chou et al. s ID-based deniable authentication protocol against KCI attack. Besides that, we have also demonstrated

10 our improvements by modifying one of the hashed pairings for each sender and receiver with a scalar multiplication in their scheme in order to resist the KCI attack. More significantly, we have carried out a detailed security analysis and we have proven our enhanced ID-based Deniable Authentication Protocol to be capable of preserving all the desired properties of an ID-based deniable authentication protocol. 6 Reference [1] Yonatan Aumann, Michael O. Rabin, Authentication, Enhanced Security and Error Correcting Codes (Extended Abstract). CRYPTO 1998, [2] Yonatan Aumann, Michael O. Rabin, Efficient Deniable Authentication of Long Messages, Int. Conf. on Theoretical Computer Science in honour of Professor Manuel Blum s 60th birthday, ( [3] D. Boneh and M. Franklin, Identity-based encryption from the Weil pairing, Advances in Cryptology-Crypto 2001, LNCS 2139, Springer-Verlag, 2001, pp [4] C. Boyd, W. Mao, K. G. Paterson. Deniable authenticated key establishment for Internet protocols, 11th International Workshop on Security Protocols, Cambridge (UK), April [5] T. J. Cao, D. D. Lin and R. Xue, An Efficient ID-based Deniable Authentication Protocol from Pairings, Proceedings of the 19th International Conference on Advanced Information Networking and Applications (AINA 05) [6] J. S. Chou, Y. L. Chen, J. C. Huang, A ID-Based Deniable Authentication Protocol on pairings, Cryptology eprint Archive: Report, (335)(2006). [7] J. S. Chou, Y. L. Chen, M. D. Yang, Weaknesses of the Boyd-Mao Deniable Authenticated key Establishment for Internet Protocols, Cryptology eprint Archive: Report, (451)(2005). [8] X. Deng, Lee, C. H. Lee, and H. Zhu, Deniable authentication protocols, IEE Proc. Comput. Digit. Tech., Vol. 148 (2), March 2001, pp [9] C. Dwork, M. Naor, A. Sahai, Concurrent zero-knowledge, Proc. 30th ACM STOC 98, Dallas TX, USA, 1998, pp [10] L. Fan, C. X. Xu, J. H. Li, Deniable authentication protocol based on Diffie-Hellman algorithm, Electronics Letters 38. (4) (2002) [11] S. Q. Jiang, Deniable Authentication on the Internet, Cryptology eprint Archive: Report, (082)(2007). [12] K. G. Paterson. Cryptography from pairings: a snapshot of current research, Information Security Technical Report, Vol. 7(3) (2002), [13] R. Sakai and K. Ohgishiand, Cryptosystems based on pairing, in the 2000 Symposium on Cryptography and Information Security, Okinawa, Japan,(2000). [14] S. B. Wilson, and A. Menezes, Authenticated Diffie-Hellman key agreement protocols, Proceedings of the 5th Annual Workshop on Selected Areas in Cryptography (SAC 98), LNCS, (1999) ( ). [15] E. J. Yoon, E. K. Ryu, K. Y. Yoo, Improvement of Fan et al.'s Deniable Authentication Protocol based on Diffie-Hellman Algorithm, Applied Mathematics and Computation, Vol. 167 (1), August 2005, pp [16] Robert W. Zhu, Duncan S. Wong, and Chan H. Lee, Cryptanalysis of a Suite of Deniable Authentication Protocols, IEEE COMMUNICATIONS LETTERS, VOL. 10, NO. 6, JUNE 2006, pp